The Data Protection Commission (DPC) has published guidance on transfers of personal data to the UK (including Northern Ireland) in the event of a "no deal" Brexit.
In a “no-deal” Brexit scenario, the UK will become a "third country" and transfers of personal data from Ireland to the UK will be treated in the same way as transfers of personal data to other countries outside the EU eg Australia or Brazil. In practice this means that an Irish company intending to transfer personal data to the UK will need to put in place specific safeguards. The guidance deals specifically with the use of “Standard Contractual Clauses” which is likely to be the approach adopted by most Irish businesses that transfer personal data to the UK.
Standard Contractual Clauses
The Standard Contractual Clauses (SCCs) consist of standard or template sets of contractual terms that the parties sign up to, to govern their relationship as data controller/processor. The SCCs can be adopted by putting in place a stand-alone or new contract between the Irish controller and the UK recipient/processor or by incorporating the SCCs into an existing contract.
In either case it's important to ensure that the other terms of the contract do not affect the operation of the SCCs, reduce data subject rights or reduce the level of protection which the UK entity is required to provide for the transferred data.
The guidance stresses the importance of ensuring that, operationally, transfers are conducted and managed in a way that ensures that personal data is at all times protected to the level contemplated by the GDPR. Irish entities transferring personal data to the UK will need to ensure that systems are put in place to allow for monitoring or checking the recipient's compliance with the SCCs.
Examples of transfers
The guidance sets out examples of data transfers, highlighting the wide range of transactions that might be caught. The examples include:
- outsourcing HR, IT or Payroll function to a UK based organisation
- using a UK based marketing company to send marketing communications
- occupational health provider/pension scheme based in the UK
- storing data in the UK on a server or in the cloud.
Explanation of SCCs
A sample set of Standard Contractual Clauses, which were developed by the European Commission, is attached to the guidance and the DPC provides an overview of the terms.